Developing PowerShell Reverse Shells to Bypass Windows Defender

Preparation

Windows Developer VM

There are several Windows executables that need to be downloaded and compiled in Visual Studio. The easiest way to do this is to download and install a Windows Developer VM from here:

https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/

Kali

Kali is necessary for testing your reverse shells. We will run a netcat listener to catch any shells from our Windows target VM.

Windows Target VM

This is the VM that we will use to test our reverse shell. Make sure the VM is on a subnet that is not connected to the internet, or switch off automatic sample submission. You don't want your newly created reverse shells to be submitted to Microsoft and neutered before you have a chance to use them.

AMSI

AMSI, the Antimalware Scan Interface, is a Windows interface that integrates PowerShell with whatever anti-malware product is present on the Windows OS. Our goal is to evade anti-malware and AV scans when executing our PowerShell code, so we need to bypass AMSI. Many AMSI bypass scripts have been published on the internet; most have since been caught and patched by Microsoft and no longer work, but they still make a useful starting point: we can modify a published bypass to develop our own working one. To proceed we will need the following:

Existing AMSI bypass scripts

I have found the following GitHub repo to be an excellent starting point:

https://github.com/Abdulrhmanbk/Bypass-AMSI-2022

There are of course many more; Google is your friend for finding the latest and greatest AMSI bypasses.

AMSITrigger

Open Visual Studio on your Windows Developer VM and clone the following repository:

https://github.com/RythmStick/AMSITrigger.git

Press Ctrl+B to build AMSITrigger.exe, then copy the executable from the build output location into your working directory.

Invoke-Obfuscation

Invoke-Obfuscation is a collection of PowerShell scripts that automatically reorder and refactor your PowerShell code to break the signatures that AV or AMSI use to identify it as malicious. Download the repo from:

https://github.com/danielbohannon/Invoke-Obfuscation.git

I used Visual Studio to clone the repo.

AMSI Bypass Methodology

Copy your chosen AMSI bypass to your Windows Developer VM and save it as a .ps1 file in your current working directory. Before proceeding, check it against AMSITrigger.exe to see whether your chosen AMSI bypass actually needs to be modified:

.\AMSITrigger.exe -i AMSIBypass.ps1 -f 3

The resulting output shows which lines of your PowerShell triggered AMSI. You might get lucky at this stage, particularly if the bypass is new. If AMSI has been triggered, you can now use Invoke-Obfuscation to modify the PowerShell to beat the detection. Windows Defender will prevent Invoke-Obfuscation from running, so you will need to turn real-time protection off. Launch Invoke-Obfuscation from a terminal opened in Administrator mode:

Import-Module .\Invoke-Obfuscation.psd1
Invoke-Obfuscation

Once Invoke-Obfuscation has loaded you need to load the bypass into the application. Do this using the following command:

set SCRIPTBLOCK <Powershell code goes here>

You can experiment with the various options in Invoke-Obfuscation to modify your PowerShell, and have a lot of fun doing so. For a quick win, however, I often find running TOKEN\ALL\1 to be very effective. When writing this article I chose an AMSI bypass that consisted of three lines of PowerShell script. I had to set and modify each line of the AMSI bypass separately and then rebuild the bypass in a new .ps1 file. Once you have modified your AMSI bypass script, switch Windows Defender real-time protection back on and run the bypass against AMSITrigger.exe again to see whether any of your modified lines still trigger AMSI.

Reverse Shell

Now that we have a functioning AMSI bypass, we need a PowerShell reverse shell one-liner to add to our script. You can generate one using revshells.com, msfvenom, Payloads All The Things or GitHub.

Test your chosen reverse shell!!

At this stage, do yourself a favour and make sure the reverse shell works before spending time modifying it:

  • Switch off real-time protection on your target Windows machine.
  • Set up a netcat listener on Kali.
  • Make sure your Kali VM and your target VM are on the same subnet.
  • Launch the reverse shell and ensure you get a connection.

Invoke-Obfuscation part II

Now that you know your reverse shell works, let's go about modifying it. Again, use the set SCRIPTBLOCK command to load your reverse shell and then go to town modifying it. Once you have modified your PowerShell reverse shell it is time to check it against Windows Defender. You could just drop it on the desktop with real-time protection enabled, or you could use ThreatCheck.exe from here:

https://github.com/rasta-mouse/ThreatCheck

Putting it all together

Take your working AMSI bypass and your reverse shell and combine them into one .ps1 file. Copy it onto your Windows target and let it rip. Hopefully you won't get caught by Windows Defender and you now have a solid reverse shell in your netcat listener on Kali.
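The flip side of the TOKEN-style obfuscation used above and of the combined script is what a defender sees in PowerShell Script Block Logging (Event ID 4104): even when AMSI is bypassed, the reassembled script text is still logged. The following is an added example, not part of the original article or of Invoke-Obfuscation, showing heuristic triage of such log entries for obfuscation indicators (backtick-split identifiers, format-operator string reassembly, concatenation, char-code construction, call-operator-on-string, Invoke-Expression). The tab-separated event format, the pattern weights, the verdict thresholds and the three sample entries are all constructed assumptions for illustration; the obfuscated sample is a benign Write-Host.

```python
"""Heuristic triage of PowerShell Script Block Logging (Event ID 4104) text.

Added example. The event format (timestamp, script block id, script text,
tab-separated), the pattern weights and the thresholds are constructed
assumptions, not taken from any product, Sigma rule or the article itself.
"""
import re

# (name, regex, weight). Each name describes the obfuscation trait it targets.
PATTERNS = [
    # W`r`ite-Host : backtick inserted inside an identifier
    ("backtick_in_identifier", re.compile(r"[A-Za-z]`[A-Za-z]"), 2),
    # ("{1}{0}" -f 'ost','Write-H') : string rebuilt with the format operator
    ("format_operator_reassembly", re.compile(r'"\s*(\{\d+\}){2,}\s*"\s*-f', re.I), 3),
    # 'Hel'+'lo' : literal split into concatenated pieces
    ("string_concatenation", re.compile(r"'[^']*'\s*\+\s*'[^']*'"), 1),
    # [char]72 : text built from character codes
    ("char_cast", re.compile(r"\[char\]\s*\d+", re.I), 2),
    # -join : array of fragments joined back into a string
    ("join_operator", re.compile(r"-join", re.I), 1),
    # iex / Invoke-Expression : dynamically evaluating assembled text
    ("invoke_expression", re.compile(r"\b(iex|invoke-expression)\b", re.I), 2),
    # &( ... ) : call operator applied to a computed command name
    ("call_operator_on_string", re.compile(r"&\s*\("), 2),
]

# Constructed sample events: a normal admin pipeline, an obfuscated but
# harmless Write-Host, and a plain Invoke-Expression of a local file.
SAMPLE_EVENTS = """\
2024-01-01T10:00:00Z\t1a2b\tGet-Process | Where-Object { $_.CPU -gt 100 } | Sort-Object CPU
2024-01-01T10:00:05Z\t3c4d\t&("{1}{0}" -f 'ost','Write-H') ('Hel'+'lo') ; W`r`ite-Host ([char]72+[char]105)
2024-01-01T10:00:09Z\t5e6f\tInvoke-Expression (Get-Content .\\build.ps1 -Raw)
"""


def parse_events(text):
    """Split the constructed tab-separated log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, block_id, script = line.split("\t", 2)
        events.append({"timestamp": timestamp, "id": block_id, "script": script})
    return events


def score_script(script):
    """Return (score, hit names); each pattern counts once regardless of repeats."""
    hits = [name for name, rx, _ in PATTERNS if rx.search(script)]
    score = sum(weight for name, _, weight in PATTERNS if name in hits)
    return score, hits


def classify(score):
    """Map a score to a verdict. Thresholds are an assumption to tune locally."""
    if score >= 4:
        return "obfuscated"
    if score >= 1:
        return "review"
    return "clean"


def triage(text):
    """Score every event in the log and attach hits and a verdict."""
    results = []
    for event in parse_events(text):
        score, hits = score_script(event["script"])
        results.append({**event, "score": score, "hits": hits, "verdict": classify(score)})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(f"{r['timestamp']} {r['id']} score={r['score']:2d} {r['verdict']:10s} {','.join(r['hits'])}")
```

Run stand-alone it prints one line per event; the obfuscated Write-Host scores well above the threshold while the plain Invoke-Expression lands in the "review" bucket. In practice the same scoring would be fed from Get-WinEvent output or a SIEM export rather than the embedded sample, and the weights tuned against your own baseline of legitimate scripts.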

Happy Hunting!
